Well, the folks at lab126 have fixed their update script to not mount the root filesystem as writable until after the update has been extracted. This means that the current method of using a tarbomb to place our own digital signing certificate on the device is now useless.

We'll keep looking for other ways in. The Kindle Apps might be a possible solution.